From 3d1a2c12ec239d693e99e442b8da90fec26f0a00 Mon Sep 17 00:00:00 2001
From: Matthew Wright
Date: Tue, 17 Feb 2026 13:17:12 -0500
Subject: [PATCH] add investigated query toggle filter
---
 salt/soc/defaults.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index bbe9558e9..fb25a9c09 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2380,6 +2380,10 @@ soc:
 exclusive: true
 enablesToggles:
 - acknowledged
+ - name: investigated
+ filter: event.investigated:true
+ enabled: false
+ exclusive: false
 queries:
 - name: 'Group By Name, Module'
 query: '* | groupby rule.name event.module* event.severity_label rule.uuid'
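Review bot: The added `investigated` toggle sets `exclusive: false` while the entry directly above it uses `exclusive: true`, and nothing on the new lines records why the two differ. If `exclusive` decides whether a disabled toggle negates its filter (not confirmable from this hunk), already-investigated alerts stay mixed into the default alert view; a comment such as `# non-exclusive: off = no filter applied, on = only event.investigated:true` above the entry would make that intent reviewable. The hunk also does not show where `event.investigated` is written or mapped, so confirm the field exists on alert documents, because a toggle on an unpopulated field silently returns nothing and can look like an empty queue. Quoting the value as `filter: 'event.investigated:true'` would match the single-quoted query strings just below. The toggle list this entry joins starts above the hunk.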